Choosing an apt AML Software for DPMS

Dealers in precious metals and stones are one of the Designated Non-Financial Businesses and Professions (DNFBPs) required to comply with anti-money laundering and combating financing of terrorism (AML/CFT) regulations in the UAE. Non-compliance with AML requirements has severe consequences, including monetary fines, administrative penalties, and reputational damage. The importance of choosing an apt AML software for the DPMS sector cannot be overstated. Adopting an appropriate AML compliance software for Dealers in Precious Metals and Stones is very important to ensure compliance with the AML requirements and safeguard your precious metals and stones business against exploitation by financial criminals.
This article discusses the critical considerations for selecting the right AML software for your AML compliance needs.

Understanding the AML Compliance requirements for Dealers in Precious Metals and Stones in the UAE

Before selecting an AML screening solution, we must understand the AML compliance requirements in the UAE and why a dealer in precious metals and stones must comply with these AML requirements.
Money laundering is concealing the source of the illegally obtained funds and disguising the same as proceeds from legitimate business activities. Financial criminals often use precious metals and stones to launder their dirty and illicit money without attracting the attention of the regulatory authorities. Precious metals and stones are commonly used for laundering funds, given their inherent characteristics – high in value, compact in size and easy to transport across borders.

What are “Precious Metals and Stones” in UAE under the AML regulations?

Under UAE AML regulations, the following are considered “Precious Metals and Stones”:
Precious Metals
  • Gold (minimum purity of 500 parts per 1,000)
  • Silver (minimum purity of 800 parts per 1,000)
  • Platinum (minimum purity of 850 parts per 1,000)
  • Palladium (minimum purity of 500 parts per 1,000)
Precious Stones
  • Rough diamonds of any weight in carats
  • Polished diamonds (minimum weight of 0.3 carats per stone if loose, or a minimum weight of 0.5 carats per any single stone mounted in a setting)
  • Coloured Gemstones like Emeralds, Rubies, and Sapphires (minimum weight of 1 carat per stone if loose, or a minimum weight of 2 carats per any single stone mounted in a setting)
Pearls
  • Loose (minimum diameter of 3 millimetres per bead)
  • Strung or mounted in a setting (minimum diameter of 10 millimetres per any single bead)
Other
  • Any object of which a minimum of 50% of the value is comprised of precious metals and stones.

Who is a Dealer in Precious Metals and Stones in the UAE?

A person engaged in any of the following activities related to precious metals and stones would be treated as a dealer in precious metals and stones (DPMS) in UAE:
  • Extraction, refining, cutting, polishing or fabrication
  • Import or export
  • Purchase, sale, re-purchase or re-sale, including scrap sale of precious metals and stones
  • Barter, or exchange of precious metals and stones
  • Loan or lease arrangements
  • Possession of precious metals and stones, e.g., as a fiduciary, warehousing, or safekeeping arrangement
  • Job work arrangement, e.g., cutting, polishing, refining, casting or fabrication services related to precious metals and stones.

What is AML Compliance in UAE?

Anti-money laundering (AML) compliance is a set of regulations and governing frameworks focused on detecting and preventing the process of laundering illegal money from entering into a legitimate financial system. In UAE, the primary AML/CFT regulations are the Federal Decree-Law No. 20/2018, and its implementing guidelines in Cabinet Decision No. 10/2019.
AML compliance is essential to safeguard the business from being vulnerable in the hands of money launderers. By developing a comprehensive AML compliance framework, businesses can detect and prevent suspicious activities on time without getting their business impacted by financial criminals for money laundering activities.
The AML regulations in the UAE mandate that Financial Institutions, Virtual Assets Service Providers (VASP) and certain Designated Non-Financial Businesses and Professions (DNFBPs) comply with these regulations. Dealers in precious metals and stones are one of the DNFBPs, required to design and implement AML/CFT policies, procedures, and controls to identify, prevent, and report suspicious transactions and activities related to money laundering and terrorism financing.
An AML Compliance Software helps meet KYC, Screening, and Reporting requirements and saves time and costs.

Why is AML Compliance necessary for Dealers in Precious Metals and Stones in the UAE?

As precious metals and stones are considered closely associated with money laundering typologies, dealers in precious metals and stones are entrusted with the responsibility of identifying any red flags that point towards the use of precious metals and stones in the money laundering process.
Following are a few ML/FT red flags for dealers in precious metals and stones:
  • Customer requests reshaping of gold into ordinary-looking items to hide the nature of precious metals
  • Customer frequently trades diamonds and gold jewellery for cash in small incremental amounts
  • Transaction involving precious metals with unusual characteristics, not matching market standards
  • Charitable organization requesting to buy gold worth AED 1 million, not aligned with the customer’s activities, etc.
Complying with AML regulations helps the business avoid non-compliance penalties and protects it from reputational damage. With your commitment towards complying with AML compliance requirements, you gain trust and respect from your customers, suppliers, and other stakeholders, achieving customer loyalty and long-term commercial benefits.
AML compliance is a necessary part of the routine business operations of a dealer in precious metals and stones, ensuring the business does not aid any financial criminal in laundering the illegal proceeds of crime.
An AML Screening Software will help you meet legal obligations and counter money laundering and terrorism financing.

Key Features and Functionalities of an Ideal AML Software

AML compliance is integral to any business operation to maintain integrity and avoid non-compliance penalties. With increasing importance and awareness about AML compliances, new technological solutions are designed to detect, prevent, and report money laundering activities. To ensure the completeness and accuracy of the AML compliance requirements, the selection of the right AML software is necessary. While finalizing the AML software, the following key features must be emphasized.

Customer Identification and Verification

The AML software must support the performance of customer due diligence, including Customer identification and identity verification of the customers and their beneficial owners. The customer identification process should be accurate and reliable to determine whether the customer is the one he claims to be. The software should also be able to verify the customer’s address, nationality, and date of birth.
The software should support identifying the designated person or entity mentioned in the sanctions list, specifically in the UAE Local Terrorist and UNSC Consolidated lists. Further, the AML software should also allow screening of the customers and the ultimate beneficial owners against the global list of Politically Exposed Persons (PEP) and adverse media searches.

Risk Assessment and Management

The AML software should allow the Dealers in Precious Metals and Stones to assess the ML/FT risk for each of the customers and, thus, overall enterprise-wide risk assessment. The risk assessment process should be robust and accurate, considering all the relevant risk parameters such as the customer’s business activities, geographies involved, the transactional elements like mode of payment and the frequency of transactions, beneficial ownership, association with PEP, etc.
The risk scoring methodology of the AML compliance software must be simple to understand but comprehensive, assisting the AML Compliance Officer in taking necessary due diligence measures depending on the risk rating to manage the money laundering risk.

Ongoing Monitoring

The AML Compliance software should allow for maintaining and monitoring the customer’s profile and transactions executed with the customer. The transactions should be monitored against the customer’s information file to detect suspicious or unusual activity. Any unusual pattern or mismatch between the customer’s profile and the activities must be highlighted for further investigation by generating an alert. The flagging of the ML/FT red flags would ensure timely actions to prevent or mitigate the impact of the risks.

Regulatory Reporting and Record-Keeping

The AML screening software should support the generation of intelligent and analytic reports to monitor the organisation’s compliance status.
The retention of the necessary AML records and documents must be enabled in the AML software, as required under the UAE AML regulations. The software should maintain a complete audit trail and history of the compliance activities, including the customers screened, transactions monitored, alerts generated, etc. This AML record-keeping functionality of the AML software should serve as documentary evidence to be furnished to the regulatory authorities as proof of AML compliance.

Integration with Existing Operational Systems

The AML software should integrate easily with the business’s existing systems, processes and databases to ensure efficient AML compliance management without hampering any routine business operations. The precious metals and stones dealers can easily integrate their CRM solution with the AML software and streamline the customer due diligence process.
With comprehensive data around AML compliance available in one place, the AML Compliance Officer can review the organisation’s compliance level and ensure the quality of the AML compliance framework implemented across the organization.
Selecting the right AML compliance software is of utmost importance to ensure that dealers in precious metals and stones comply with relevant AML compliance obligations and safeguard themselves from being used for money laundering activities. The right AML software will equip you with the resources to effectively manage your 100% AML compliance requirements.

Evaluating AML Software Providers

Selection of the right AML software vendor is equally important. You may have the best of the AML software, but you may not optimally use the features if the software provider is not professional and does not provide handholding support. Partnering with the wrong AML software provider can cost you non-compliance fines and reputational damage. Here are a few key factors to consider when evaluating AML software vendors:

Reputation and Industry Experience

The AML software provider’s reputation and industry experience are among the most important factors. Look for an AML screening software provider with experience in the precious metals and stones industry. With the vendor’s understanding of the business operations and the industry, you will get customized AML software mapped with the AML compliance requirements of the dealers in the precious metals and stones sector.
You can check the Name Screening Software vendor’s reputation and experience by referring to online reviews, customer feedback and testimonials from other dealers in precious metals and stones. It helps you make decisions, providing information about the vendor’s strengths and weaknesses and their commitment to customer satisfaction.

Customer Support and Training

Another key factor to consider is the level of post-implementation customer support and training the AML compliance software vendor provides. Implementing AML software is a different task from buying one. The implementation requires support from the vendor in configuring the features as per business needs, training the employees to use the AML screening solution and extending post-implementation ongoing support to manage any issues while using the AML software, which may arise in future once the software is live.

Pricing and Contract Terms

The budget and cost of the AML software are other crucial factors while evaluating the software providers. Look out for any additional hidden charges or costs, such as implementation or annual maintenance costs. The contractual arrangement with the vendor must be clear and transparent, laying down the scope of the AML software.

Scalability and Customization Options

One-size-fits-all is not a practical principle in business. The AML software must support customization, allowing the businesses to tailor-make the AML compliance software per the business needs and compliance obligations of the dealers in precious metals and stones. Further, the solution must be scalable, supporting the organisation’s growing business. The AML software, which allows scalability and customization, is always preferred over other AML software.
Selection of the right AML software, supported by the right software vendor, is necessary for the long-term success of the investment in AML technology and for ensuring 100% AML compliance in your precious metals and stones business.

Rightfully implementing the AML Software in the Jewellery Business

Managing AML compliance is necessary to keep financial criminals away from the precious metals and stones business and avoid regulatory fines for non-compliance and reputational damage. With effective implementation of the software, you can manage your AML compliance. Take care of the following aspects while going live with the AML software, and half of your AML compliance job is done:

Configuration of the AML Software

The AML software must be aligned with local and international regulatory developments and the latest data sources to ensure accurate and correct AML compliance by dealers in precious metals and stones.

Preparing the Team

The compliance team must be well-trained in the AML software’s features and functionalities to use the AML software efficiently. The training should discuss the AML compliance obligations and how the software will help achieve each AML compliance requirement.
While deciding on the AML software, AML Compliance Officer, IT professionals and senior management must be involved. This will ensure that the Compliance Officer is satisfied with the solution’s functionalities, the IT team approves the technical configuration and data security, the management signs off the investment in AML software, and shows commitment towards compliance.

How can Niyeahma assist you in selecting the right AML Software for your precious metals and stones business?

The quality and effectiveness of AML compliance depend on the resources deployed, including AML Software. Appropriate AML compliance software will help your business achieve 100% compliance with AML regulations prevalent in the UAE.
Niyeahma is one of the leading AML consultancy service providers in the UAE, assisting clients in setting up and implementing the AML compliance framework. Our domain experts and AML professionals understand your business requirements and help you identify the most appropriate AML solution, including discussing the solution’s functionalities and negotiating prices with vendors.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Importance of AML Regulatory Awareness amongst the DNFBPs

Financial crime significantly threatens the integrity of countries and businesses. Given that Designated Non-Financial Businesses and Professions (DNFBPs) play a significant role in the financial system, they are also prone to financial crime threats, making them susceptible to being exploited by criminals for illicit activities. These financial crimes include money laundering (ML), financing of terrorism (FT), and proliferation financing (PF).
In this context, the DNFBPs established in Singapore must understand and comply with regulations concerning ML/FT and PF crimes.
Thus, DNFBPs must have adequate AML regulatory awareness to promptly identify and mitigate the risks of ML/FT and PF. Understanding ML/FT and PF risks and regulatory frameworks is essential for DNFBPs to adopt effective preventive measures to safeguard the business against such vulnerabilities and comply with regulatory frameworks.

What is ML, FT and PF?

Financial crime is an umbrella term encompassing the three vices adversely impacting the world’s financial ecosystem: money laundering, terrorism financing, and financing the proliferation of weapons of mass destruction. Although ML, FT, and PF are often used together, there are certain fundamental differences between them.

Money Laundering (ML)

The crime of ML means disguising criminal proceeds and their illegal sources to make them appear as if generated from legitimate activities. In a general sense, ML is converting dirty money into clean money. It usually involves three stages—placement, layering, and integration—through which the illicit funds are placed in valid financial systems, routed through complex transactional structures, and commingled with legally obtained funds.

Financing of terrorism (FT)

FT is an activity of funding terrorist activities, which can be done irrespective of the source of the fund, i.e., the money used for terrorism financing may be from legal or illegal activities. Therefore, unlike ML, where the proceeds are from illicit activities, the source does not matter in the crime of FT. It is concerned with giving away money to terrorist organisations executing terrorist attacks or propagating the anti-social agenda.

Proliferation Financing (PF)

PF refers to the act of providing funds or any other services in relation to the manufacture, acquisition, possession, development, export, trans-shipment, transfer, stockpiling or use of nuclear, chemical or biological weapons for mass destruction and related materials for non-legitimate purposes.
These financial crimes impact the country’s economy, peace, security, and stability of the financial system.

What is ML, FT and PF Risk?

ML, FT and PF risk or the overall financial crime risk for the DNFBP is the potential exposure that the DNFBPs may face on account of it being used as a medium for facilitating money laundering, terrorism financing, or proliferation financing.
These risks may arise from the nature of the entity’s business, the geographies it is connected with, the customers it handles, or the products/services it offers.
These risks may hamper the business’s stability, harm its reputation and result in financial losses, including huge administrative penalties.

Why are DNFBPs in Singapore prone to ML/FT and PF risk?

Under Singapore’s existing AML regulatory regime, the primary businesses and professions classified as DNFBPs are:
  • Dealers in Precious Stones and Precious Metals (PSPM)
  • Real Estate Sector Agents and Developers
  • Lawyers
  • Corporate Service Providers
  • Public Accountants
  • Casinos
  • Pawnbrokers
As a global financial hub, Singapore attracts various customers and businesses, which increases the likelihood of exploiting these DNFBP segments for illicit financial activities and makes them vulnerable to ML/FT and PF risk.
For example, a criminal from a foreign country may visit Singapore and misuse a PSPM dealer to buy high-value gold or diamonds against the funds illegally generated in the home country. A registered financial agent may also be used to set up a shell company in Singapore, which shall be used as a vehicle for cross-border funds movement without engaging in real commercial operations.

How does the awareness of Singapore’s AML regulatory framework help DNFBPs?

The DNFBPs in Singapore are mandated to implement necessary risk mitigation measures as prescribed in the AML laws. The DNFBPs must understand the AML regulatory framework applicable to their operations and integrate the business activities with the relevant compliance obligations. The following indicators highlight why DNFBPs in Singapore must be aware of the country’s AML regulatory framework:

Ensuring Continuous Regulatory Compliance

Knowledge and awareness of Singapore’s AML regulations help DNFBPs comply with regulatory requirements. Staying up-to-date with the regulations also helps DNFBPs learn about the new risk mitigation measures prescribed by the authorities to combat the newer ML/FT typologies.
Further, sound knowledge of the laws also helps businesses understand the consequences of non-compliance, such as penalties, fines, and other charges imposed by regulators. With a command over regulations, DNFBPs can avoid and reduce the imposition of penalties and breaches, demonstrating their commitment to responsible business practices.
For example, Regulated Dealers in Precious Stones and Precious Metals are required to file a Cash Transaction Report (CTR) for specified transactions. Thus, unless the dealer is aware of this requirement, there is a high likelihood of missing it and failing to notify the authorities of cash transactions involving the purchase or sale of precious metals and stones.

Crafting Tailormade IPPC and Effectively Combating the ML/FT/PF risk

A thorough understanding of AML laws helps DNFBPs understand the compliance obligations and risk mitigation measures they must follow to protect their businesses and the economy.
AML regulatory awareness would help DNFBPs develop an AML program consisting of internal policies, procedures, and controls (IPPC), driving their ML/FT risk mitigation framework. The IPPC would be comprehensive only if the DNFBP understood the laws and regulations applicable to their business industry. This legal awareness would help the DNFBP detail the methodology for assessing the business risk, customer onboarding (Customer Due Diligence) process, AML governance structure, AML record-keeping mechanism, identification and reporting of suspicious transactions, etc.
With a robust, comprehensive, and documented AML program, the DNFBPs could educate the team and leverage the resources to identify the exposure to ML/FT and PF risks in a timely manner and promptly deploy the necessary risk mitigation actions.
Therefore, a grasp of the regulatory framework helps frame AML policies, procedures, and controls aligned with best practices and regulatory compliance. This leads to better implementation of statutory commitments within the organisation.

Building Trust and Brand Value

Knowledge of regulatory frameworks helps the DNFBPs better implement the AML compliance measures, demonstrating their commitment to combating financial crimes and building a safe and secure working environment. This builds a good business image, promoting growth significantly. Additionally, an adequate compliance culture creates an affirmative reputation among the authorities.
Further, with a comprehensive understanding of regulatory frameworks, DNFBPs promote ethical conduct and avoid penal implications and legal liabilities.
In the age of global trade, knowledge of country regulatory compliance and international requirements is important for businesses wanting to expand their business across borders. Along with an understanding of local regulations, the knowledge of Singapore’s collaboration with international organisations, such as the Financial Action Task Force (FATF), would also help DNFBPs navigate the complexities of global trade with integrity and conviction. DNFBPs with such knowledge can effectively comply with international requirements when engaging in international business and transactions. Businesses complying with AML regulations are always preferred as trusted business partners.
Thus, regulatory awareness increases trustworthiness and respect, attracts new customers and investors, and improves the business’s overall performance.

Selecting and Integrating the Business with Adequate AML Solutions and Tools

With the development in the technological sector, various AML tools and software are available that make AML compliance efficient and easy. Understanding the regulatory framework helps a business identify and deploy the best AML solutions, which helps in effectively implementing the designed AML procedures and controls. These tools with advanced features help businesses automate manual and repetitive processes, such as name screening and ongoing monitoring, and optimising the use of resources. Furthermore, DNFBPs with knowledge of regulations better allocate business resources while ensuring AML compliance.

Primary AML Regulations applicable to DNFBPs in Singapore

In Singapore, the government has enacted various regulations to prevent ML/FT and PF. Here is the list of primary regulations that apply collectively to all DNFBPs in Singapore:

Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act, 1992

The Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act, 1992 (‘CDSA’) is the primary regulation imposing a statutory obligation on reporting entities, including DNFBPs, to detect and report suspicious transactions to the authorities. The CDSA was enacted to provide a regulatory framework for combating corruption, drug trafficking, and other serious crimes, including financial crimes like money laundering.

Terrorism (Suppression of Financing) Act, 2002 (TSOFA)

The Terrorism (Suppression of Financing) Act, 2002 is Singapore’s primary legislation focused on suppressing terrorism financing. It was enacted to give effect to the International Convention for the Suppression of the Financing of Terrorism, a United Nations (UN) treaty, and to restrict terrorism financing more efficiently.

Prevention of Proliferation Financing and Other Matters Act 2024

The Singapore Government recently passed the bill and introduced the Prevention of Proliferation Financing and Other Matters Act 2024 (PPFOMA). The PPFOMA amends provisions laid down in the CDSA and various supporting acts governing DNFBPs to prevent the financing of the proliferation of weapons of mass destruction. The PPFOMA aims to enhance and strengthen the existing AML/CFT framework by including PF as a criminal activity and extending the applicability of countermeasures to this financial crime.

Other Sector-specific Regulations and Guidelines for DNFBPs

In line with the primary statutes mentioned above, various AML supervisory authorities in Singapore have issued detailed regulations and guidelines to help the relevant DNFBPs navigate compliance effectively, seamlessly protecting the segment against the financial crime risk. Some of these regulations and guidelines which the DNFBPs must be aware of and abide by are:
  • Accountants (Prevention of ML and FT) Rules 2023
  • ACRA (Filing Agents and Qualified Individuals) Regulations 2015
  • Precious Stones and Precious Metals (Prevention of Money Laundering and Financing of Terrorism) Act, 2019
  • Precious Stones and Precious Metals (Prevention of Money Laundering and Financing of Terrorism) Regulations, 2019
  • Estate Agents (Prevention of Money Laundering and Financing of Terrorism) Regulations, 2021
  • Legal Profession (Prevention of Money Laundering and Financing of Terrorism) Rules, 2015
  • Casino Control (Prevention of Money Laundering and Financing of Terrorism) Regulations, 2009

Conclusion

Awareness of Singapore’s AML regulations is essential for DNFBPs to mitigate ML/FT and PF risk and ensure 100% compliance. With a sound understanding of regulatory requirements, DNFBPs can implement essential AML measures tailored to their businesses, safeguarding the business against threats imposed by financial crime activities.
Therefore, familiarity with the AML regulatory framework ensures that DNFBPs comply with legal requirements and maintain the integrity of the financial system.

FAQs on the Importance of AML Regulatory Awareness amongst the DNFBPs

What are DNFBPs in AML?

DNFBP stands for Designated Non-Financial Business and Profession, encompassing real estate agents, lawyers, dealers in precious stones and precious metals, registered filing agents, pawn brokers, accountants, and casinos.

What are the primary laws for AML compliance for DNFBPs?

The Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act, 1992 (‘CDSA’), and the Terrorism (Suppression of Financing) Act, 2002 (TSOFA) are the primary laws for AML compliance for DNFBPs.

Why are AML regulations essential for DNFBPs?

AML regulations for DNFBPs are essential as they safeguard DNFBPs from ML/FT and PF risks and provide a systematic methodology to combat the threats of illicit financial activities.

Why are DNFBPs subject to the AML regime?

Although the DNFBPs are part of the non-financial sector, they engage in activities that could be exploited for ML/FT or PF.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

How can RegTech help streamline AML compliance?

To keep pace with the ever-evolving regulatory framework around anti-money laundering and the emerging sophisticated ways developed by financial criminals, the AML measures call for advanced technology and tools. This new tech-based solution growing in the market, specifically focusing on anti-money laundering or anti-financial crime regimes, is popularly known as Regulatory Technology or RegTech.
Let us understand what RegTech is and how RegTech can help the regulated entities streamline their AML Compliance.

What Is RegTech?

As mentioned above, RegTech is an abbreviation for regulatory technology, a solution developed using innovative technology to facilitate legal or regulatory compliance with the applicable regulations. RegTech brings in the power of emerging technologies like artificial intelligence and machine learning, data analytics, etc., modernizing the compliance function of the business with optimum automation.
The acceptance of RegTech solutions has grown tremendously over the years with increasing complexities of regulatory obligations and the need to align business operations with compliance processes.
RegTech enables the processing of huge data sets, managing compliance activities efficiently and on a timely basis with effective utilisation of resources and informed decision-making. RegTech solution includes customer identity verification functionality, gathering and monitoring the financial transactions, assessing and managing the customer and business risk, regulatory reporting and compliance management solution, etc.
Regulated entities must consider implementing an appropriate RegTech solution that complements the AML compliance function, reducing the risk of financial crime exploitation and regulatory non-compliance.

How Can RegTech Foster The AML Compliance Program?

In current times, where the financial crimes around misuse of technology and AML compliance obligations are growing, RegTech solutions come as a saviour with customized tools and software to address the financial crime risk and the challenges around AML compliance.
Following are the AML-compliant aspects where automation and RegTech support cannot be overlooked:
Customer Due Diligence (CDD) is an essential element of AML compliance, involving identifying the customer, screening the customer, and assessing the risk posed by the customer. Here, RegTech solutions can be deployed for identity verification, screening the customer against sanctions lists, Politically Exposed Person (PEP) lists and adverse media, and determining the customer’s risk profile based on the collected customer details. Moreover, this can also be integrated with the entity’s existing systems, like the Customer Relationship Management tool, automating the CDD process in real time.
Ongoing transaction monitoring is another crucial element of AML compliance, aimed at monitoring customer activities and financial transactions to identify red flags. With countless transactions taking place through the entity per day, manually monitoring the transactions and detecting unusual activities is challenging. The task of transaction monitoring becomes effective and efficient with RegTech, which can analyse vast volumes of data, including unstructured data, determine the patterns and predict the transactions to flag potential risks or anomalies. This enables the regulated entities to address the alerts or warning signals immediately and make necessary reports to the Financial Intelligence Unit on a timely basis.
Not limited to customer or transaction-related activities, RegTech solutions do provide functionalities to integrate these two into AML Enterprise-Wide Risk Assessment (EWRA), enabling the regulated entity to identify and manage the overall business exposure to money laundering and terrorist financing. With EWRA being updated on a real-time basis with every customer onboarded and transaction executed, the entity can stay on top of the entity’s ML/FT risk and promptly modify or upgrade the controls to mitigate the assessed risk.
Further, some RegTech solutions extend this transaction monitoring system to support automated filing of Suspicious Transaction Reports (STRs) or any other regulatory report with the authorities, using an API. This feature ensures the quality and comprehensiveness of the reports submitted to the FIU or other supervisory bodies.
RegTech offers advanced technologies to regulated entities to simplify AML efforts, enhancing the efficiency and accuracy of overall AML compliance.

What Are The Benefits Of Using RegTech For AML Compliance?

The following are the key benefits that a RegTech solution can offer to regulated entities with its powerful tools and automation:

Improved Efficiency Of The AML Compliance Processes

With automation and the capability to churn a large volume of data in a few seconds, the RegTech solution empowers the AML compliance Program of the regulated entity by reducing the time and effort for completing the AML compliance activities. RegTech automates the manual tasks, bringing in quality, speed and accuracy in AML compliance.
With proper tools and technologies, the regulated entities can:
  • automate the Customer Due Diligence process, making the customer onboarding process smooth while ensuring that no suspected financial criminal slips into the business operations,
  • process a large number of transactional data, monitoring the business activities in real-time to draw the trends and suspicious patterns and promptly generate an alert for cases warranting further investigation.
This automation reduces manual intervention, with immediate detection of risk indicators and elimination of human error, increasing the efficiency of the AML compliance function.
RegTech enables regulated entities to combine human brains and technological intelligence to run the AML compliance show, allowing optimal use of resources, adhering to the regulatory regime, and creating a robust shield against financial criminals.

Enhanced Accuracy And Reduced Non-Compliance Risk

RegTech solutions offer the power of artificial intelligence and data analytics capabilities that improve the accuracy of compliance tasks. With inherent characteristics of adapting and learning continuously, RegTech monitors transactions, predicts trends, and reduces false positives, enabling the AML compliance team to invest more time investigating genuine risk vulnerabilities.
With real-time triggers and alerts for compliance and potential red flags, the regulated entities can promptly handle and address suspicious transactions. This will help the entities prevent money laundering and terrorism financing while complying with the applicable provisions of the AML laws.

Improved Brand Image And Confidence

Deploying RegTech solutions demonstrates the entity’s commitment to fighting financial crime and safeguarding the economy. This boosts the entity’s reputation in the market, building trust and confidence in the business’s customers, stakeholders, and regulatory authorities.
RegTech gives wings to the business to fly high without worrying about the chain of compliance pulling it down, enhancing the effectiveness and efficiency of the AML compliance framework.

What Are The Best Practices For Implementing RegTech Solutions?

For the successful implementation of an appropriate RegTech solution, it is necessary to consider the following factors and adopt the best practices to make the most out of the investment in AML tools and systems:
  • Before choosing and deploying the RegTech solution, the AML compliance requirements must be mapped as per applicable laws (the Prevention of Money Laundering Act, 2002 (PMLA) or the IFSCA (AML, CFT, and KYC) Guidelines, 2022) and the industry in which the entity operates. Preparing a formal Business Requirements Document specifying the AML compliance obligations and the corresponding features and functionalities needed to meet these obligations is suggested.
  • As a lot of sensitive data is input into the solution, it is essential to evaluate its security and data privacy standards. The regulated entities must ensure that RegTech complies with data privacy requirements and adequate cybersecurity measures to avoid data breaches and maintain the entity’s reputation and customers’ confidence.
  • During the pre-implementation phase, the RegTech solution must be tested rigorously using sample data to train and fine-tune the technologies (like Artificial Intelligence or Machine Learning) used in the solution. This will reduce the number of false positive alerts, saving time on unnecessary investigations.
  • RegTech must be checked for its compatibility with the existing systems of the entity. Integration between the two systems is crucial for ensuring the seamless flow of comprehensive and accurate data to stay AML compliant and detect the red flags at the earliest. The regulated entity must upgrade the legacy systems to integrate the required technologies.
  • The benefits of RegTech cannot be achieved in its true sense unless the compliance team of the entity understands and accepts the solution. The regulated entity must invest time and resources in imparting necessary RegTech training to the team on how the solution can streamline the AML compliance function.
With a systematic approach, the regulated entities can identify the apt RegTech solution and unlock its full potential to augment the AML compliance framework.

How Can Niyeahma Assist You In Leveraging The Benefit Of RegTech To Enhance AML Compliance?

With growing AML compliance requirements and the need to strike a balance between compliance and business activities, the value of RegTech cannot be discounted. With years of experience and understanding of AML compliance activities, AML India can assist the regulated entities subject to PMLA and IFSCA AML Guidelines, identify the right RegTech solution and implement the same spotlessly. AML India can also handhold during the implementation and post-implementation phase, ensuring you stay regulatory compliant and safeguard your business against financial crime vulnerabilities.
With careful implementation of the RegTech solution, let’s gear up for the impactful fight against money laundering and terrorism financing.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.


TFS Self Assessment Checklist for SARs and STRs


The Ministry of Economy has required Financial Institutions and DNFBPs to respond to their questionnaire on completing the TFS self assessment checklist for SARs and STRs.
The TFS Self-Assessment Checklist has been designed to provide a structured and comprehensive framework for FIs/ DNFBPs to assess compliance with key TFS Transaction monitoring requirements.
This Questionnaire on Completing the TFS Self Assessment Checklist for SARs and STRs is in line with the risk-based approach and methodology that supervisory authorities in UAE have adopted for the assessment of its Financial Institutions (“FIs”) and Designated non-financial business and professions (“DNFBPs”) money laundering / terrorist financing (ML/TF) risk profile through the collection of ML/TF risk indicators measuring threats and vulnerabilities.
The Supervisory authorities in UAE have assessed the Financial Institutions (“FIs”) and Designated non-financial business and professions (“DNFBPs”) exposure to ML/TF risks on a thematic basis, focusing on key ML/TF threats and vulnerabilities derived from the risks outlined in the Financial Action Task Force’s (FATF) 40 Recommendations, the UAE’s National Risk Assessment (NRA) and Topical Risk Assessment.
The purpose of the review is to highlight the generic findings observed within selected FIs and DNFBPs and provide targeted feedback to the sector.
FIs and DNFBPs are advised to read each question in the TFS Self Assessment Checklist for SARs and STRs carefully before answering and use the text box to provide comments where the response to the question requires further elaboration.

Salient Features of this TFS Self Assessment Checklist for SARs and STRs

  • FIs/ DNFBPs will be able to save and print the checklist as required for their own internal reviews and follow-ups.
  • The self-assessment checklist is to be completed by the AML compliance officer/MLRO, who has the overall responsibility for establishing and maintaining the regulated entity’s AML/CFT systems and should also approve and sign off the completed checklist.
  • Each question in the self-assessment checklist provides a number of response options, including ‘Yes’, ‘No’, ‘Not applicable (“N/A”)’.
  • When the FIs/ DNFBPs confirm the response to be ‘Yes’ to any of the questions in the tick box, it represents compliance with the requirement. For some of the questions, further specified information should be given in the text box for a ‘Yes’ response.
  • When the FIs/ DNFBPs confirm the response to be ‘No’ to any of the questions in the tick box, it represents a potential non-compliance with the requirement. If the response to a question is ‘No’, the FIs/ DNFBPs should use the text box to additionally document:

    1. How do the FIs/ DNFBPs plan to remediate the potential gap identified;
    2. When do the FIs/ DNFBPs plan to complete the remediation for any potential gaps identified?

  • When the FIs/ DNFBPs confirm the response to be ‘N/A’ to any of the questions in the tick box, it represents the requirement does not apply to the FIs/ DNFBPs.
  • Where any deficiencies in your systems and controls are identified, you should construct a remediation plan and discuss this with your superviso

Section 1: General Information

  1. Name of the LFI/DNFBP: Enter the reporting entity name
  2. Checklist Completed By: Enter the name of the MLRO/Compliance Officer
  3. Checklist Completed by: Enter MLRO/Compliance Officer as the case may be
  4. Date of Completion: Provide the date of completion of this TFS Self-Assessment Checklist for SARs/STRs
If you want to understand the role of an independent AML auditor in UAE, you can check our blog, “Role of an Auditor Under UAE AML Compliance”.

Section 2: TFS Reporting

1. Did you register in the EOCN Notification System?

Ans: You may say ‘Yes’ if you have subscribed to the Executive Office For Control & Non-Proliferation’s Sanction List notification system – UN page | EXECUTIVE OFFICE FOR CONTROL & NON-PROLIFERATION (uaeiec.gov.ae) and include remarks in the text box.

2. Did you register in the goAML system?

Ans: You may say ‘Yes’ if you are already registered with the goAML system and add your Org ID in the text box.

Section 3: TFS Screening

1. Do you conduct screening on UAE Local Terrorist List and UN Consolidated List?

Ans: Say ‘Yes’ if you conduct screening based on the UAE Local Terrorist List and UN Consolidated Sanctions List.
2. Do you have adequate screening systems in place (whether manual or using a third-party tool) to be able to detect potential and confirmed matches to UAE Local Terrorist List and UN Consolidated List?
Ans: Say ‘Yes’ if you have a manual or software-based screening system in place.
3. Do you check the UN website for press releases (https://www.un.org/press/en/content/press-release) daily to remain vigilant on any updates to UN Sanctions Lists?
Ans: Say ‘Yes’ if you follow the UN press releases as to UN Sanctions Lists.
4. Do you maintain the most up-to-date records of UN Consolidated List and UAE Local Terrorist List at all times in their screening systems?
Ans: Say ‘Yes’ if you keep your manual system or software updated with the latest UN Consolidated List and UAE Local Terrorist List.
5. Do you have a tactical/manual alternative process in place to add any missing names in their screening list, in case they rely on an external list provider for obtaining lists and if there is a delay in any names of recently sanctioned persons to appear in the vendor-provided lists?
Ans: Say ‘Yes’ if you are able to add missing names in the screening list manually in the screening software.
6. Do you conduct screening in the following circumstances: Upon any updates to the Local Terrorist List or UN Consolidated List. In such cases, screening must be conducted immediately and without delay to ensure compliance with implementing freezing measures without delay (within 24 hours).
Ans: Say ‘Yes’ if you perform screening immediately upon an update to UAE Local Terrorist List or UNSC Sanctioned List.
7. Do you conduct screening in the following circumstances: Prior to onboarding new customers.
Ans: Say ‘Yes’ if the screening is part of your customer onboarding process.
8. Do you conduct screening in the following circumstances: Upon KYC reviews or changes to a customer’s information
Ans: Say ‘Yes’ if you conduct screening upon KYC reviews or changes to a customer’s information.
9. Do you conduct screening in the following circumstances: Before processing any transaction.
Ans: Say ‘Yes’ if you conduct screening before processing any transaction.
10. Do you conduct screening on the following: Existing customer databases. All systems containing customer data and transactions need to be mapped to the screening system to ensure full compliance.
Ans: Say ‘Yes’ if you screen existing customers and transactions, and they are mapped to the screening software.
11. Do you conduct screening on the following: Potential customers before conducting any transactions or entering a business relationship with any Person.
Ans: Say ‘Yes’ if you conduct a screening of your potential customers or others before entering into a business relationship with them.
12. Do you conduct screening on the following: Names of parties to any transactions (e.g., buyer, seller, agent, freight forwarder, etc.)
Ans: Say ‘Yes’ if you screen buyer, seller, agent, freight forwarder, and other parties related to a transaction.
13. Do you conduct screening on the following: Ultimate beneficial owners, both natural and legal.
Ans: Say ‘Yes’ if you screen UBOs.
14. Do you conduct screening on the following: Names of individuals, entities, or groups with direct or indirect relationships with designated persons.
Ans: Say ‘Yes’ if you screen individuals, entities, or groups directly or indirectly associated with sanctioned persons/entities.
15. Do you conduct screening on the following: Directors and/or agents acting on behalf of customers (including individuals with power of attorney).
Ans: Say ‘Yes’ if you screen directors and/or agents acting on behalf of customers, including those holding power of attorney to execute a transaction.
16. Do you maintain records of all screening results (negative, false positive, potential, and confirmed matches) for a period of at least five years?
Ans: Say ‘Yes’ if you maintain screening records at least for a period of 5 years.
17. Do you complete the TFS survey after each sanction alert notification received by the EOCN?
Ans: Say ‘Yes’ if you participate in the TFS Survey after each sanction alert notification received from the Executive Office For Control & Non-Proliferation.
18. Do you conduct screening on trade-based transactions that may involve dual-use goods against the UAE Control Lists?
  • Items as mentioned on the EO IEC website: https://www.uaeiec.gov.ae/en-us/
  • Items as per the list mentioned in Cabinet Resolution No. 50 for 2020 concerning the control list annexed to Federal Law No. 13 for 2007 relating to commodities subjected to import and export control.
Ans: Say ‘Yes’ if you deal in such items as per the above lists.

Section 4: Internal Control

1. Do you freeze or suspend, without delay (within 24 hours), all funds or other assets upon identification of confirmed or potential match and refrain from providing any services?
Ans: Say ‘Yes’ if you comply with the above requirements.
2. Do you lift freezing measures, without delay (within 24 hours), on all funds or other assets upon receiving notice of de-listing of the designated person from EO Notification System or upon receiving communication from EOCN on goAML?
Ans: Say ‘Yes’ if you comply with the above requirements.
3. Do you implement Enhanced Due-Diligence (EDD) procedures on all Financial Transactions, including trade transactions linked to High-Risk Jurisdictions?
Ans: Say ‘Yes’ if you comply with the above requirements.
4. Do you have internal procedures to ensure that customers have a valid permit when dealing in the export and import of dual-use items before processing transactions or engaging in business relations?
Ans: Say ‘Yes’ if you deal in dual-use items and comply with the requirements.
5. Do you have alert systems that include both TF and PF sanctions evasion red flags?
Ans: Say ‘Yes’ if you have an alert system for TF and PF sanction evasion red flags.

Section 5: TFS Reporting

1. Do you report any confirmed matches on UAE Local Terrorist List or UN Consolidated List by raising a Funds Freeze Report (FFR) in goAML in a timely manner?
Ans: Say ‘Yes’ if you comply with the above requirements.
2. Do you report potential matches on the Local Terrorist List or UN Consolidated List by raising a Partial Name Match Report (PNMR) in goAML in a timely manner?
Ans: Say ‘Yes’ if you comply with the above requirements.
3. Do you respond to communications (queries, requests for information, etc.) received from EOCN via the goAML message board within 48 hours of receiving the communication?
Ans: Say ‘Yes’ if you comply with the above requirements.
4. Do you conduct adequate internal training and awareness on TFS obligations and sanctions evasion typologies to relevant staff and senior management (e.g., MLROs, Front Desk Staff, Relationship Managers, Compliance Officers, etc.)?
Ans: Say ‘Yes’ if you comply with the above requirements.
5. Does your staff attend TFS training sessions held by EOCN and/or Supervisory Authorities?
Ans: Say ‘Yes’ if you comply with the above requirements.

Section 6: TF and PF Risk Assessment

1. Have you identified and assessed your TF and PF risks for customers, countries or geographic areas, products, services, transactions or delivery channels?
Ans: Say ‘Yes’ if you perform TF and PF Risk Assessment based on customers, geography, products, services, transactions, and delivery channels.
2. Do you verify that the nature and extent of the Terrorism Financing and Proliferation Financing Risk Assessment are appropriate to the nature and size of the Reporting Entity’s business?
Ans: Say ‘Yes’ if your Risk Assessment is commensurate with the nature and size of your business.
3. Do you provide guidance to staff on identifying suspicious activity taking into account the means of delivery, the customer risks, geographical risk and any risk derived from the change of circumstances?
Ans: Say ‘Yes’ if you comply with the above requirements.
4. Do you verify that the TF and PF RA are kept up to date?
Ans: Say ‘Yes’ if you comply with the above requirements.

AML Compliance services 

Niyeahma is the premium AML consulting firm in UAE. We help our customers with goAML registration, business risk assessment, AML policy documentation, AML training, AML software selection, KYC, Screening and Risk Profiling, STR filing, and more. Get in touch with us to remain compliant with UAE AML Laws and Regulations.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


Navigating the AML Regulatory Framework in India


The crime of money laundering poses a significant threat to the integrity of the economy in India. To promote a healthy and safe business environment that is free of financial crime, India recognises the significance of combating illicit financial activities. To achieve this goal, India has adopted a robust framework of regulations and enforcement mechanisms to prevent money laundering and financial crimes within its borders. Businesses operating in India are required to develop a sound understanding of the AML regulatory framework, enabling compliance with the applicable AML laws and sector-specific guidelines.
Additionally, various supervisory authorities have issued guidelines laying down the best practices necessary to identify financial crime instances and mitigate the risks.

Applicability Of AML Law In India

The entities which are subject to AML laws in India are generally referred to as “reporting entities” or “regulated entities”. According to the Prevention of Money Laundering Act, 2002 (PMLA), a reporting entity includes a banking company, financial institution, intermediary or a person carrying on a designated business or profession.
Further, the PMLA also defines persons carrying on a designated business or profession. DNFBPs encompass individuals and entities operating as:
  • Casinos
  • Real estate agents
  • Dealers in precious metals and stones
  • Individuals who manage cash and securities for others
  • And any other entities designated by the Central Government through official notification
Recently, the scope of such DNFBPs has been extended to bring the following professionals under India’s AML regulatory framework, when carrying out specified activities in the course of the profession for or on behalf of its clients:
  • Chartered Accountants
  • Company Secretaries
  • Cost and Management Accountants
Moreover, the Ministry of Finance, exercising its power under PMLA, extended the compliance requirements provided in the PMLA to the Virtual Digital Assets Service Providers (VDA SPs).
Individuals and entities involved in the above mentioned businesses and professions need to ensure compliance with PMLA.

Why Is It Important For Businesses To Be Aware Of India’s AML Regulatory Framework?

The aforementioned businesses in India need to understand the AML regulatory framework so their business practice is aligned with the regulatory framework, making efforts to combat the potential financial crime risk to which their business is vulnerable. Here is a list of a few important reasons why businesses in India should be aware of India’s AML regulatory framework:

Establish Adequate Internal AML Compliance And Governance Structure

A sound understanding of India’s AML regulatory framework helps businesses formulate AML policies, procedures and controls, which enable their customer-facing personnel to detect and report suspicious activity related to financial crimes.
This understanding is needed to keep AML policies aligned with regulations and to ensure they are better implemented for preventing financial crimes.
The rigorous knowledge of AML regulatory framework helps businesses to know what to include in their AML policy to seamlessly integrate it in the operations, how frequently to update the policy and when to audit such AML policy.

Preserve Its Financial Integrity

Knowledge and awareness about AML regulations help businesses maintain financial integrity and implement mitigating measures against financial crimes. Additionally, comprehending the framework governing compliance helps businesses understand what compliance requirements they are supposed to implement.
Knowledge of AML regulations guards financial integrity, helps businesses monitor financial transactions, restrains the business from being exploited by criminals, mitigates regulatory risks, and maintains trust with regulators and other stakeholders. This safeguards the business’s reputation in the marketplace.

Avoid Non-Compliance With AML Laws And Avoid Fines, Penalties And Reputational Loss

Understanding the AML regulatory framework helps businesses to know about penalties, fines and criminal charges they may face in case of non-compliance. The imposition of penalties not only leads to financial loss but also demeans the business’s reputation, which leads to business loss and hampers business relationships.
With a grasp of the regulatory framework, businesses could maintain compliance requirements and demonstrate their commitment to fighting global vices, which would help them to avoid penalties and maintain their reputation.

Implement AML Solutions, Tools And Technologies Tailored To Suit The Business

Implementation of AML tools, software and appropriate technologies makes AML compliance efficient and easy. An AML program includes procedures designed to guard against someone using the business to facilitate financial crime. With knowledge of the regulatory framework, a business can implement the AML solutions that best incorporate the relevant compliance aspects into their functions; name screening tools, for example, help with sanctions compliance.
When tools come with integration features, then various operational functions such as customer onboarding can be integrated with name screening, KYC, customer due diligence process to help businesses automate their processes and optimize the use of the resources. Additionally, with the implementation of AML solutions that are aligned with the regulatory framework, businesses can improve their efficiency and keep a better check on business activities against potential ML/FT risks.

Foster A Culture Of Compliance And Appropriate Allocation Of Business Resources

A clear understanding of the regulatory framework helps businesses comply with regulations efficiently and thus makes business compliance-focused.
A compliance-focused culture flows from the top management or the senior management of the business. The businesses in India need to have in place adequate personnel training programs to ensure that right from top management, the AML compliance team and customer-facing team are appropriately trained with regard to the potential ML, FT and PF red flags and fulfil the responsibilities of identifying and reporting suspicious transactions to the FIU.
Therefore, businesses should be aware of regulations to foster a compliance-focused culture, which contributes to a positive societal impact. Additionally, businesses with knowledge about regulations know where the risk lies and what resources are required to manage the risks. Thus, they are better at allocating business resources.

Ease In Expanding Business Globally

Knowledge about regulatory frameworks helps enhance overall business performance. Given the global nature of financial crime risks, the awareness and compliance with AML regulations help in growth and create long-term opportunities worldwide.
Businesses that have a better understanding of global AML compliance standards perform better and grow with partnerships and collaborations. Even at a global level, an AML compliance-oriented business gets easy access to markets and country entry, which helps in the expansion of business.

Principal Statutory Regulations For AML In India

To combat financial crimes and help the regulated entities navigate and implement adequate risk mitigation measures, the Government of India has introduced various laws and rules.

Prevention Of Money Laundering Act (PMLA) Of 2002

The Prevention of Money Laundering Act, 2002 (PMLA) is the primary law that governs AML/CFT regulations and guidelines in India.
The PMLA contains comprehensive provisions to combat money laundering (ML), financing of terrorism (FT) and proliferation financing of weapons of mass destruction (PF), which include empowering various relevant authorities such as the Enforcement Directorate (ED), Central Bureau of Investigation (CBI), or Financial Intelligence Unit – India (FIU–IND) to detect, investigate, and prosecute money laundering offences in a timely and effective manner.
The amendments introduced in the PMLA must be considered. With frequent advancements in the financial market and technology across various sectors, new threats of potential ML/FT and PF have developed.
Accordingly, the PMLA has undergone various amendments from time-to-time to address emerging ML/FT and PF risks and ensure continuous alignment with international standards and recommendations issued by the Financial Action Task Force (FATF).
The timely amendments to the PMLA have ensured its relevance and effectiveness in combating evolving financial crimes.

Prevention Of Money Laundering Rules (Maintenance Of Records) Rules, 2005

Complementing the PMLA, the Prevention of Money Laundering Rules (Maintenance of Records) Rules, 2005 (PMLA Rules) is another allied regulation brought into force to enable the prohibition of money laundering activities in India. The PMLA Rules provide operational guidelines for implementing the provisions of the PMLA.
These rules lay down procedures for anti-money laundering compliance, including customer due diligence, record-keeping, and reporting of suspicious transactions.

PMLA Allied Laws

  • The Unlawful Activities (Prevention) Act, 1967
  • Weapons of Mass Destruction and Their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005
  • The Conservation of Foreign Exchange and Prevention of Smuggling Activities Act, 1974
  • The Benami Transactions (Prohibition) Act, 1988
  • Sector-specific AML Guidelines Issued by Competent Authorities such as the Directorate General of India-Indirect Taxes and Customs
  • The Indian Penal Code, 1860
  • Code of Criminal Procedure, 1973
  • The Narcotic Drugs and Psychotropic Substances Act, 1985

Directives And Guidelines Issued For AML Compliance

In addition to the principal legislations, the various governing authorities have also released specified guidelines for different categories of reporting entities according to the nature of their activities. Some of these guidelines include:
  1. Guidelines for Reporting Entities (Real Estate Agents) under the Prevention of Money Laundering Act, 2002 (Guidelines for Real Estate Agents)
  2. AML/CFT Guidelines for Reporting Entities (Dealers in Precious Metals and Precious Stones) under the Prevention of Money Laundering Act, 2002 (Guidelines for DPMPS)
  3. IFSCA (Anti Money Laundering, Counter Terrorist-Financing and Know Your Customer) Guidelines, 2022 for units operating in GIFT City, Gandhinagar
  4. AML & CFT Guidelines for Reporting Entities providing services related To Virtual Digital Assets
  5. AML & CFT Guidelines for Professionals with Certificates of Practice from ICAI, ICSI and ICMAI
  6. Master Circulars issued by Reserve Bank of India
  7. Guidelines on Anti-Money Laundering Standards and Combating the Financing of Terrorism Obligations of Securities Market Intermediaries

Regulatory Authorities Overseeing AML Laws

Various regulatory authorities in India are responsible for providing frameworks to combat ML/FT. Provided below is the list of authorities working to combat financial crimes:

Ministry Of Finance

The Ministry of Finance is the primary regulatory authority in India, which looks after the financial system, including AML/CFT. Within its body, the Department of Revenue is responsible for drafting laws, policies and guidelines for various financial systems, including the framework for AML/CFT laws.
Additionally, the Ministry of Finance works in collaboration with other authorities in India by providing directions to ensure that the financial system in India follows AML regulations.

Reserve Bank Of India

The Reserve Bank of India, which is the central bank of the country, plays a crucial role by providing consultancy to the central government in prescribing the procedure for maintaining and furnishing information by the reporting entity for compliance with the provisions of the PMLA.
The RBI has also released comprehensive guidelines on Know Your Customer (KYC) and related compliances, to assist the financial institutions in effectively combating financial crimes.

Security Exchange Board Of India

The Security Exchange Board of India (SEBI) is the central authority for the securities market in India. It monitors the stock market to prevent money laundering and financial crimes in the securities market.
SEBI has released “Guidelines on Anti-Money Laundering Standards and Combating the Financing of Terrorism /Obligations of Securities Market Intermediaries”, as mentioned above, which details the various AML measures that securities market players must adhere to in order to protect the integrity of India’s securities market.

Insurance Regulatory And Development Authority Of India

The Insurance Regulatory and Development Authority of India (IRDAI) is a regulatory body for the insurance industry in India. It makes sure that insurance companies implement measures for AML/CFT.
In this context, IRDAI also releases detailed guidelines on AML/CFT compliance for insurance companies and agents operating in India.

International Financial Services Centres Authority

The International Financial Service Centre (IFSC) is set up to develop India as a global investors’ hub. With IFSC entities’ global exposure in terms of business activities and customers, the risk of financial crime becomes more worrisome.
Strong AML program implementation in IFSC entities must be ensured to overcome this risk. To safeguard the business and the economy against ML/FT vulnerabilities, the IFSCA releases AML/CFT regulations and ensures that regulated entities adhere to them.

AML Enforcement Through Specialized Agencies

Various agencies have been constituted in India to prevent money laundering and terrorism financing. Following is the list of agencies working towards the prevention of financial crimes:

Enforcement Directorate

The Enforcement Directorate (ED) is a financial investigation agency under the Ministry of Finance. It investigates offences relating to money laundering and violations of foreign exchange laws and is responsible for the enforcement of provisions laid down under the PMLA.

Financial Intelligence Unit India (FIU-IND)

The Financial Intelligence Unit is a national agency that receives, processes and analyses suspicious financial transactions in India. Just like the ED’s role, the PMLA 2005 has conferred power on FIU-IND to implement the provisions of the Act. All regulated entities, for the purpose of compliance with PMLA, are required to furnish information to FIU-IND to prevent financial crimes in the country.

Cooperation With International Agencies For Combating Financial Crimes

With the advancement in technology and globalisation, there has been a rise in cross-border financial transactions. Thus, international agencies are working with the country to limit cross-border money laundering and terrorism financing.
It is important for businesses involved in export-import or cross-border trade to have relevant knowledge of these regulatory frameworks for compliance measures in combating money laundering and terrorism financing.
Knowledge of these international regulations helps businesses involved in international trade safeguard the integrity of financial transactions, protect the business against criminal activities, and preserve the security of the global financial system.
One such international agency working with India for AML/CFT is FATF.
The Financial Action Task Force (FATF) sets international standards and recommendations for combating money laundering, terrorist financing, and other financial crimes. India became a member of the FATF in 2010 to implement a more advanced regulatory system for AML/CFT.
As a member, India implements these recommendations and cooperates with FATF and other member countries to combat money laundering and related crimes effectively. Businesses in India, when implementing AML policies, procedures, and controls, need to adopt a risk-based approach along with other FATF recommendations, such as compliance with Targeted Financial Sanctions (TFS), reporting to the FIU, etc., to ensure that their AML compliance measures are on par with the globally recognised FATF standards.

Let’s Safeguard India With Thorough Understanding Of AML Regulatory Framework!

Awareness and compliance with India’s AML regulatory framework are imperative for businesses operating in India. In order to combat ML/FT, businesses in India have to adopt an effective anti-money laundering policy through collaboration and cooperation among different authorities and agencies. With such stringent regulations, guidelines, and measures, India aims to prevent money laundering activities, protect the integrity of its financial system, and contribute to global efforts to combat money laundering and terrorism financing.
Therefore, AML compliance not only safeguards businesses from legal and reputational risks but also acts as a guardian for financial integrity and maintaining accountability in the financial ecosystem.

FAQs On AML Regulatory Framework In India

The Prevention of Money Laundering Act 2002, along with the Prevention of Money Laundering Rules 2005, which were issued under it, form the primary framework for the anti-money laundering laws in India.
Multiple authorities oversee AML enforcement in India. However, the Enforcement Directorate under the Department of Revenue, Ministry of Finance and FIU-IND under the Ministry of Finance are responsible for enforcing the provisions of PMLA 2002.
PMLA 2002 applies to all persons and covers individuals, companies, firms, an association of persons or a body of individuals working as a banking company, financial institution, intermediary or a person carrying on a designated business or profession.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.


Differences in AML requirements under UAE Federal Law, DIFC and ADGM Rulebooks


UAE’s battle against money laundering and other financial crimes is becoming stronger daily.
Several robust federal and free zone regulations. Effective reporting of suspicious activities. Investigations. Prosecutions. Fines and penalties.
The country has committed to implementing strategies and policies to reduce financial crimes. It also supports global efforts of FATF and other bodies for combatting money laundering and terrorism financing.
In this regard, the UAE has introduced a Federal AML regulation and its implementing guidelines, laying down the measures regulated entities must take to combat money laundering and terrorism financing. Since Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) are financial free zones, they have different regulations for entities operating in these areas. Still, the basis of these regulations remains the two principal Federal AML regulations of the UAE:
  • Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations
  • Cabinet Decision No. (10) of 2019 concerning the Implementing Regulation of Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations
DIFC and ADGM apply the federal law as it is. Additionally, they have implemented AML-specific rules and guidance for the entities established in their respective free zones. A few differences exist between the AML compliance requirements as applicable to units in DIFC and ADGM vis-à-vis units operating in mainland UAE.
Let’s have a look at each of the AML provisions and highlight the differences:

Regulatory authority

Federal AML Regulations

Various Supervisory Authorities have been identified to regulate mainland UAE entities’ AML/CFT compliance.

| Units operating in Mainland UAE | Supervisory Authority |
| --- | --- |
| Financial Institutions (including insurance companies) | Central Bank of UAE |
| Lawyers & Legal Consultants | Ministry of Justice |
| Virtual Asset Service Providers (VASPs) in Dubai | Virtual Assets Regulatory Authority of Dubai |
| Capital Market & VASP (other than Dubai) | Securities & Commodities Authority |
| Other Designated Non-Financial Businesses and Professions (DNFBPs) | Ministry of Economy |

DIFC

The Dubai Financial Services Authority (DFSA) regulates, controls, and administers AML requirements in DIFC.

ADGM

The Financial Services Regulatory Authority (FSRA) enforces the rules and requirements of AML and CFT in ADGM.

Definition of DNFBP

Federal UAE

The definition of DNFBP in UAE includes the following:
  • Brokers and real estate agents in relation to the buying and selling of real estate property for the benefit of its customers
  • Dealer in precious metals or stones
  • A law firm, notary firm, or other independent legal professionals
  • Independent Accountants and Auditors
  • Trust or Company Service Provider

DIFC

In the case of DIFC, the definition changes a bit. Besides the above, it includes:
  • A real estate developer
  • Insolvency firm
  • A person who issues or provides services related to Non-Fungible Tokens (NFTs) or Utility Tokens.
A Registered Auditor is not a DNFBP but is subject to AML Regulations in DIFC.

ADGM

In the case of ADGM, the definition of DNFBP includes a dealer trading any saleable item where the transaction amount equals or exceeds US$ 15,000 in cash through a single transaction or series of connected transactions. Further, it also includes taxation consulting firms explicitly.

Risk-based approach & AML Enterprise-Wide Risk Assessment

Entities must assess the several risks their business is exposed to. These risks may relate to the following:
  • Nature of the business
  • Products and services
  • Customers the entities deal with
  • Delivery-channels
  • Transactions
Based on the risk levels, entities must implement measures to tackle those risks. Also, you must keep reviewing the risk assessment to update it with changes at regular intervals. You must also document the findings and results for future reference.
The provisions for a risk-based approach are standard in all three – Federal AML regulations, DIFC, and ADGM, except that the DIFC units are also required to consider the tax-crime risks.
Based on the overall AML risk assessment of their business, regulated entities must develop their AML controls, procedures, policies, and systems to mitigate or manage the AML risks.

Circumstances warranting performance of Customer Due Diligence

Entities must undertake customer due diligence:
  • When it enters into a business relationship with the customer
  • When it carries out an occasional transaction valued at more than a defined amount with a customer
  • When it suspects a customer or transaction of money laundering
  • When it has doubts about the validity or adequacy of information or documents provided by the customer
There are minor differences in the circumstances when CDD is to be performed under the three regulations.

Federal AML regulations

As per the UAE Federal AML Law, the threshold prescribed for conducting CDD in the case of an occasional transaction is an amount equal to or exceeding AED 55,000. This transaction can be a single transaction or several interlinked transactions.

DIFC

In the case of DIFC, there is no limit on the transaction amount with the customer to carry out CDD.
Further, the entities in DIFC can delay the identity verification of customers and their beneficial owners if:
  • The AML risk is low
  • Carrying out verification interrupts or delays the normal course of business
But verification must be completed within 30 business days of effecting the transaction.

ADGM

In the case of ADGM, the defined amount is USD 15,000.
Also, entities can delay the identity verification of customers and their beneficial owners if:
  • The AML risk is low
  • Carrying out verification interrupts or delays the ordinary course of business
But the entities must complete this verification within 20 business days of effecting the transaction.

Money laundering reporting officer

DIFC and ADGM entities must appoint a Compliance Officer or Money Laundering Reporting Officer who is a resident of the UAE. No such residency-related specific condition is mentioned under the UAE Federal AML Law.

Record keeping

DIFC and ADGM entities must maintain the AML/CFT-related records for a minimum of six (6) years. At the same time, the minimum data retention period prescribed under the UAE Federal AML Law is five (5) years.

AML Annual Return

Units in DIFC and ADGM are required to furnish an AML Annual Return to the respective supervisory authorities.
The entities in DIFC must submit the AML Annual Return to the DFSA by the end of September every year. It covers the reporting year from August 1 of the previous year to July 31 of the reporting year.
ADGM units, in turn, are required to furnish an AML Annual Return to the FSRA by the end of April every year, covering the AML/CFT records and data for the previous year from January 1 to December 31.

Niyeahma

This blog clarifies the differences between AML requirements under the Federal AML regulations, DFSA Rulebook and the ADGM AML Rulebook. Generally, the provisions of the Federal AML regulations apply, with specific clauses of the AML and Sanctions Rulebooks issued by the regulatory authorities of the financial free zones – DIFC and ADGM. If you still have doubts, AMLUAE will always help you.
Niyeahma is one of the leading AML consultancy service providers in the UAE. We ensure 100% AML compliance by our clients in the UAE by offering AML support related to the following:
  • Conducting AML Enterprise-Wide Risk Assessment (EWRA)
  • Customizing the AML/CFT policies, procedures, and controls
  • Conducting AML training for the employees
  • Managing the KYC and CDD of the customers
  • Assistance in setting up an AML compliance department
  • Conducting AML/CFT health check
  • Managing regulatory reporting on the goAML portal and with the Supervisory Authority.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


Top 10 mistakes to avoid while appointing an independent AML auditor


Appointing an independent AML auditor

Appointing an independent AML auditor is one of the crucial functions of the senior management. Anti-Money Laundering audits are necessary to inspect the quality and adequacy of AML policies, procedures, and controls. If these are enough, good; but if not, the authorities recommend corrective actions. Make auditing of the AML framework and the implementation thereof a regular activity.
To conduct such independent audits, you must appoint AML auditors. Some firms also prefer to outsource this task to an independent third party. If you prefer to appoint an internal person, ensure they are unrelated to the AML/CFT team to ensure their independence.
Entities make some common mistakes while appointing an independent AML auditor. You must avoid these mistakes to ensure top-quality audit results. You must include all the critical aspects in your AML auditor appointment process.

What is an independent AML audit?

An independent AML audit means a review of an entity’s AML framework. It evaluates whether the entity’s AML program is enough for the level of risks it faces. It also checks the quality of AML initiatives to prevent money laundering threats. Auditors check whether the entity is doing what is written in the framework.
Thus, an independent AML audit checks the following:
  • Enterprise-Wide Risk Assessment
  • AML/CFT framework
  • AML records, including KYC and CDD records
  • STRs, SARs, and other reports filed
  • AML training programs
  • Transaction monitoring process and results
  • The adequacy and reliability of Sanction Screening software, KYC software, transaction monitoring software
  • Past audit reports to review the implementation of the recommendations
With all these assessments, the AML auditor can identify loopholes in your AML framework and implementation thereof. You can improve them to prevent and mitigate ML/FT threats effectively. Thus, independent AML audits aim to strengthen your AML framework and initiatives. You can check its importance and benefits in our blog, “Why is an Independent AML Audit Necessary?”

What is the need for an independent AML auditor?

The auditors help you identify gaps in your AML/CFT framework and the practical implementation thereof. This helps you fight ML/FT better and comply with legal requirements.
If you want to understand the role of an independent AML auditor in UAE, you can check our blog, “Role of an Auditor Under UAE AML Compliance”.

Top 10 mistakes to avoid while appointing an independent AML auditor

While appointing an independent AML auditor, you must avoid the following mistakes:

1. Not considering the relevant qualifications and experiences of the auditor

The first factor entities look for in any candidate for any job is relevant qualifications and experience. The same is the case here.
An auditor needs to have relevant qualifications for the job. With no education in auditing, it is nearly impossible to work on the main tasks of the job. So, if you need an independent AML auditor, you must check the applicant’s qualifications.
Also, auditing experience is a must. Relevant auditing experience ensures that the auditor performs his job well.

2. Not checking the AML auditor’s knowledge of UAE’s AML regulations

The AML auditor must have complete knowledge of the UAE’s AML regulations. They must know the key provisions and implications for an entity. Also, knowledge of the chief aspects to look for in an entity’s AML framework is crucial. The auditor must know the global best practices and the relevant standards issued by the FATF.
They must also have the zest to stay up-to-date on these regulations and changes. Because as laws change, you must tweak your auditing process and criteria. So, keep an eye on this aspect.

3. Not checking if the AML auditor possesses sector-specific knowhow

An AML auditor’s job is a specialised skill job. The auditor must understand the industry risks and possible ML/FT threats. The absence of industry expertise can lead to inadequate or ineffective audit reports. It will not serve your purpose.
So, select an AML auditor who knows the industry risks, trends, and regulations. The regulatory nuances and guidelines differ for each industry. The red flags, reports to submit, and risk types are distinct. The auditor must be familiar with such industry specificities and relevant risks.
So, be sure to check the auditor’s expertise in industry aspects before appointing them.

4. Disregarding the conflict of interest or independence of the auditor

What are your expectations from the AML audit?
An accurate picture of where your AML framework stands and what improvements it needs.
An AML auditor can only show you such an accurate picture if there is no conflict of interest. For example, the audit might be partial if the auditor has close relations with your senior management or any other stakeholder. They might not speak about the real issues with your AML framework.
Such biased, good reviews are pleasing to the eyes and ears. But they are detrimental to your AML compliance. The audit’s effectiveness is questionable. So, stay cautious of such audits and auditors. Check the auditor’s independence to save your AML audit’s objectivity.

5. Not checking AML auditor’s background, references, and testimonials

It always helps to check an AML auditor’s background, references and testimonials. Conduct reference checks by contacting past clients who received their AML auditing services. Check their satisfaction with the auditor’s AML auditing quality and accuracy.
A background check is also essential to see whether the AML auditor has any relation with ML and FT activities. Even if not ML/FT, any association with corruption, bribery, trafficking, or other illicit financial activities makes an auditor questionable; their close relation with people involved in such financial crimes is also a concern. So, check all these aspects before deciding on an AML auditor.
Be sure to check the track record of the AML auditor during the appointment process.

6. Not specifying the scope of an independent AML audit

Before shortlisting auditors for an independent audit of your AML framework, understand your requirements. You must list your requirements and expectations and define the scope of an independent AML audit.
So, define the objectives of your AML audit process. Mention the scope and expected deliverables from the auditor. Also, mention the areas or risks you want the auditor to focus on. All these must be set before the appointment process starts. Such clarity on your AML requirements lets you express it to auditors to know their take.

7. Not insisting on having an AML audit plan before the start of the audit process

Before appointing an independent AML auditor, check the auditor’s auditing plan. If it is not customised to your needs, think about it again.
So, check with the auditor about their plan for your entity’s AML audit. It would be best if you had answers to the following questions:
  • Does it address industry-specific AML issues?
  • Is it a complete plan enough to audit your AML initiatives?
  • Does the auditor have the necessary resources to conduct an audit?
Answers to these questions are essential for an AML audit unique to your organisation. You have unique risks, risk appetite and tolerance, and AML controls. Also, the audit would not be successful if the essential resources were missing.
So, try to get a customised auditing approach from the AML auditor, including timelines, budget, and resources.

8. Not focusing on the follow-up procedures of AML audits

While appointing an AML auditor, you must also prepare for the audit process. Once the auditor starts auditing your AML initiatives, you must be ready to implement corrective actions. So, start preparing yourself for the follow-up.
The auditor will give you a list of weaknesses or loopholes in your AML frameworks. They will also provide the necessary corrective actions to take. So, at the last moment, you cannot just say no to executing these corrective measures. You must prepare your employees, finances, and projects to take care of the AML issue resolution.
If you ignore these follow-up procedures, you cannot resolve the loopholes. The result is high vulnerability to money laundering and other financial crimes.

9. Not creating transparent channels of communication and collaboration

Communication is vital for any business relationship. You have to communicate your requirements and expectations. Moreover, the AML auditor will communicate the results – loopholes and recommendations. To facilitate this, you must have smooth channels of communication.
Likewise, collaboration is crucial to making the AML auditing exercise successful. Collaboration is possible when you communicate frequently with the auditor on all aspects of the project. So, adopt the following practices to cooperate better with the AML auditor:
  • Set a single point of contact in your team
  • Mention the mediums of communication – mail, call, etc.
  • Allocate persons handling different aspects of the AML audit project
  • Have frequent meetings to discuss all the findings
All these collaborative exercises will help you address issues and achieve desired outcomes.

10. Not establishing data security and confidentiality agreement

When appointing an independent AML auditor, signing an agreement is crucial. The agreement will have terms and conditions on pricing, timelines, and allocated resources. Another important constituent of this agreement must be data security provisions.
The auditor will have access to all your AML processes and data during the auditing process. So, they must have solid measures in place to protect data confidentiality. They must use secure systems for auditing and permit access only to relevant persons.

Key takeaways

Avoid the above mistakes while appointing an independent AML auditor. You can appoint such a person internally or externally. If internal, they must not be from the AML compliance or customer-facing team. But if you do not have internal expertise, getting external help is a better solution.
By appointing an external AML auditor, you can get faster and more accurate audits. You have access to the expertise and specialisation of an experienced AML auditor. You can enjoy detailed, efficient audit reports with positive repercussions for your business. These efficient audits ensure no questions from the regulators on your AML compliance.

Niyeahma’s pivotal role in your AML compliance

Niyeahma is a leading provider of AML compliance services in the UAE. We help you in your journey of creating and implementing initiatives and practices to comply with AML laws in the UAE. We develop, execute, review, and improve AML policies and procedures for your business.
Our professionals have relevant expertise in risk management and AML consulting services. We help you have systems and controls in adherence to the latest AML regulations of UAE. We commit to AML initiatives and ensure your commitment to the same. These initiatives help you prevent, manage, and mitigate money laundering threats. We help entities with AML health checks and independent AML audits.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


STR/SAR Filing on goAML Portal: Common lapses and best practices


The UAE AML regulations require reporting entities to identify suspicion related to money laundering, terrorism financing or proliferation financing and to report such suspicion by filing a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR). When you suspect a transaction or activity, it warrants prompt STR/SAR filing on the goAML Portal, but beware of the common errors that regulated entities generally commit in the course of STR/SAR filing.
In this article, we have covered some of these lapses in submitting SAR/STR on the goAML Portal and the best practices to manage the same. Before that, let us understand what the UAE AML laws provide for STR/SAR filing.

What are STRs and SARs?

How will you safeguard the business against financial crime?
What actions will you undertake to prevent crimes like money laundering or terrorism financing from occurring?
The answer is the timely detection of any transaction or activity that attempts to carry out money laundering/terrorism financing or is suspected to involve proceeds of crime. The laws in the UAE require you to monitor your business relationships and transactions continuously, as the risk indicators can be observed at any stage – while onboarding the customer, while executing the transaction or after a transaction is completed. Whenever you detect any suspicious behaviour or unusual pattern, you must investigate further to assess the involvement of money laundering or terrorism financing activities.
After identifying such suspicious activities or transactions, it is important to bring these suspicions to the notice of regulatory authorities to take necessary actions to address these crimes. This is possible by submitting adequate details to the authorities and furnishing reports in the prescribed formats.
In the UAE, when any regulated entity identifies a transaction or activity as suspicious, it must file a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR).
A suspicious transaction is one where the transfer, deposit, withdrawal, or flow of funds is doubtful. It occurs when you transact or form a business relationship with a customer to provide goods or services. Examples include a customer making multiple purchases of gold using cash in small denominations, or payment for a transaction being made from a high-risk country. In such cases, you must submit an STR to the UAE’s Financial Intelligence Unit (FIU) via the goAML Portal.
Suspicious activity relates to any attempted or unexecuted transaction where the customer acts unusually, or the customer’s behavioural traits suggest any connection with money laundering or terrorism financing. For example, a customer refuses to submit identity documents or does not cooperate in the satisfactory completion of the Customer Due Diligence processes. Another example is where the customer insists on involving many intermediaries to perform a transaction without any business logic. In such cases, you must report the suspicious activity by filing a SAR on the goAML portal.
The main constituents of an STR or SAR are the following:

  • Parties involved in the transaction
  • The location of the occurrence of the transaction
  • Time and date of occurrence of suspicious transaction or activity
  • The red flags or warning signs detected
  • Action taken by the regulated entity

A critical question here is how you know a transaction is suspicious.

To ensure that your team understands the ML/FT/PF risk indicators and is alert enough to spot them, it must have adequate knowledge and understanding of the general and industry-specific warning signs indicating a connection with money laundering, terrorism financing or proliferation financing. You must maintain a comprehensive list of such red flags and implement the necessary systems and tools, depending on the nature and size of the operations, to detect suspicious activities and transactions.
Let’s look into the common lapses by entities in STR/SAR filing on the goAML portal. We also explore the best practices for managing these gaps and errors for accurate goAML reporting.

Common lapses in STR/SAR Filing on the goAML Portal

While submitting SARs and STRs on the goAML portal, please avoid these common lapses:

Failing to register on the goAML portal

You cannot submit SARs and STRs to the FIU without registering on the goAML Portal. You must complete the 2-stage goAML registration process to access the Portal to furnish any AML-related report to the FIU or other regulatory authority.
In the first stage, you must register with the SACM (Service Access Control Manager) system. Upon submitting the details, along with the relevant documents – a copy of the trade license, an authorisation letter for the appointment of the AML Compliance Officer, and identity proof of the Compliance Officer – you get a username and secret code. Next, you must install the Google Authenticator App and create an account. After this, you can access the goAML Portal and complete the registration as an “Organization”.
Once approved by the supervisory authority, your goAML registration is successful, and you can complete the necessary reporting.

Forgetting to follow the regulatory policies and laws

Submitting accurate and on-time STRs and SARs is a regulatory obligation in the UAE. The UAE also has specific guidelines on:
  • Details to fill in STR and SAR
  • Documents to submit
  • Step-by-step procedure
You must keep track of regulatory laws to stay up-to-date on all these points and adhere to requirements on time. If you fail to do so, it will make you non-compliant and hence vulnerable to ML/TF risks.

Providing inaccurate and incomplete information in STRs and SARs

Your SARs and STRs do not serve their purpose if filled out inaccurately. So, you must ensure that these reports are complete and accurate.
In STRs, fill out accurate details on the parties involved in the transaction, date, location, amount, and other relevant information. In SARs, mention the parties, observed risk indicators, and other relevant data points like the action you took to identify such a red flag. While providing these details, double-check the names of parties and other details populated. Also, mention the transaction or customer activity aspect you found suspicious.
Ensure that you attach the relevant documents – identification proof and transaction records. These serve as evidence to support your suspicion of the transaction or activity. Only comprehensive and precise details in SARs and STRs can make these reports useful to the authorities in combating financial crime, as investigation would be possible only when they have all the necessary details.
Also, be cautious while writing down the values in the report. Use simple and straightforward language in your reports. Don’t use jargon and ambiguous terms that confuse authorities using those reports. Be clear. Provide comprehensive information on your suspicion. And report all accurate details collected on the incident.

Delaying the submission of reports

The purpose of these reports – SARs and STRs – is to enable timely action by relevant authorities to prevent financial crime or reduce its impact on the national economy. If you do not submit these reports on time, this action will be delayed. So, you must ensure the prompt submission of these reports.
If you delay, the investigations are held up. Acting at that time would not generate the expected outcomes. Thus, the effectiveness of AML and CFT efforts suffers.

Lack of collaboration with regulatory authorities on STRs and SARs

Your work does not end after you submit the STRs and SARs. The regulatory authorities might need more information on the reports. They might need more proof to support the reported activity. So, you must stay alert to such messages from authorities. Also, respond quickly to their queries to enable a better investigation. Ensure that no feedback or instruction received from the authorities remains unattended for long.

Not being accountable and precise in your suspicion

Just a tiny suspicion does not mean you submit the report on goAML. You must conduct your independent and thorough investigation of the related records and seek more information (without tipping off) to determine the existence of a suspicion with reasonable belief. Not all suspicious transactions or activities turn out to be true. But that does not mean you can include any or all suspicions in the STR/SAR.
Conduct sufficient investigation into your suspicions. Assess the transaction, origin and destination, parties involved, medium, and value. Analysing all these factors gives you a better understanding of the doubts the transaction raises. Have experts look into the transaction or activity to decide whether it is suspicious.

Absence of relevant training for staff

Do you have the human expertise to detect suspicious transactions and report them? If not, you are at a loss. You need employees who have the skills to detect suspicious transactions or activities.
These employees must know the general and industry-specific red alerts documented in the entity’s AML/CFT program. Knowledge of these warning signs is essential to detect suspicious transactions. Also, employees must know how to report these suspicions, including the knowledge of the internal STR/SAR forms designed and implemented for the purpose. They must know the data points to mention and the relevant documents to attach.
Employees can have skills in all these aspects only with proper training. You must conduct regular training programs on identifying and reporting suspicions. The identification must be correct, and reporting must be precise in the required format for effective action.

Neglecting data confidentiality and privacy concerns

The data added on suspicious transactions and activities in these reports is confidential. You must not share it with people other than your internal team members working on it.
You must keep the data in STRs and SARs confidential and private, ensuring adherence to the no “tipping off” requirements prescribed under the UAE AML laws.

Not sharing the reports with the senior management

For implementing AML measures, effective communication within the entity is essential. In particular, you must share all the reported suspicions and actions taken with senior management periodically (possibly in the semi-annual AML/CFT report prepared by the AML Compliance Officer).
Sharing information facilitates collaboration and coordination in AML efforts. It helps you combat money laundering and terrorism financing more effectively.

Missing the review of the reporting process

You have a well-defined reporting process on the goAML portal. You have been able to submit the STRs and SARs through this procedure.
But it does not remain the same always. You must conduct frequent reviews of the process, including the formats used for internal STR/SAR reporting, to check for errors or missing parts. You might identify gaps that need improvement. Also, the process must stay relevant to the UAE’s AML laws and align with your AML objectives.
To ensure that alignment and relevance are checked, you must assess the process periodically. Make improvements for effective reporting of suspicious transactions and activities.

Best practices around STR/SAR filing on the goAML Portal

These are the ten critical lapses that can occur during STR/SAR filing on the goAML Portal. Avoid them at all costs to reduce the chances of failure in this process. The likelihood of non-compliance is high if you commit any of these errors.
Some of the best practices you can implement to avert these deficits are:
  • Register on the goAML Portal and ensure the details furnished on the portal about the entity and Compliance Officer are up-to-date.
  • Document a detailed list of general red flags and industry-specific risk indicators in the AML/CFT policy itself.
  • Develop a clear reporting hierarchy and step-wise process to be followed by the frontline employees when any suspicion is observed.
  • Design a comprehensive internal STR/SAR format, covering the fields to capture mandatory details and the staff’s understanding of the risk indicator involved in a specific activity or transaction.
  • Maintain a checklist to ensure accurate and complete details are furnished in the STR/SAR filed on the goAML Portal.
  • Keep a log of the reports filed and copies thereof.
  • Periodically apprise the senior management of the STR/SAR filed, key red flags identified, and the action taken by the entity.
  • Create awareness amongst the team around the “no tipping off” requirement.
  • Immediately adhere to the authorities’ feedback or instructions against the STR/SAR filed.
  • Provide mandatory training to the staff at the time of joining and at periodic intervals to keep them aligned with the emerging ML/FT typologies.

Niyeahma’s support in ensuring timely compliance with STR/SAR filing on the goAML Portal

If you want a faultless process of submitting STR and SAR, you can connect with our team. We will help you at every step in identifying suspicious transactions and activities and reporting them to authorities. With our expertise, you can generate accurate, complete, and on-time reports and submit them on goAML.
Niyeahma is a distinguished provider of AML compliance services in the UAE. We keep your business protected and compliant with the UAE’s AML regulations.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)


Proliferation Financing Institutional Risk Assessment by FIs, DNFBPs, and VASPs


Have you conducted an Enterprise-Wide Risk Assessment to identify the money laundering (ML) and terrorism financing (TF) risks to your business? Did you factor in the risk you may face on account of proliferation financing (PF)? Is your customer risk assessment methodology comprehensive enough to assess the PF risk your customer poses to the business? Identifying and assessing your business’s vulnerabilities to the threats of proliferation financing is essential. The Executive Office for Control and Non-Proliferation (EOCN) has issued a Proliferation Financing Institutional Risk Assessment Guidance for FIs, DNFBPs, and VASPs.
In its recommendations, the FATF included a thorough assessment of the PF risk and the development of adequate counter-proliferation financing (CPF) measures for managing this risk. As an active member of FATF, the UAE commits to developing detection, prevention, and mitigation measures against PF.
Before we discuss the key highlights of the guidelines and the authority’s recommendations to the private sector, let us understand the importance of proliferation financing risk assessment in safeguarding the business.

Why is proliferation financing risk assessment important?

Proliferation financing means supporting or facilitating the proliferation of weapons of mass destruction (WMD) and their delivery systems. It means providing funds for or facilitating the following activities related to nuclear, biological, and chemical weapons:
  • Manufacturing
  • Using
  • Developing
  • Possessing
  • Transporting
  • Brokering
  • Trading
  • Transferring
  • Transshipping
  • Stockpiling
It also includes financing or facilitating the delivery of these weapons or their related materials, i.e., dual-use goods or technologies used for illegal purposes.
Unless you identify the potential vulnerabilities, your business may be unknowingly exploited for the above-mentioned proliferation financing activities. Thus, to counter proliferation financing risk, you must assess the potential PF threats at the business level and also at the business relationship level. You must learn how your business is vulnerable to PF risks. You must know the characteristics of PF risks so that you can spot them and raise an alert.
You will face enormous penalties if you do not apply CPF measures or willingly or unwillingly engage in proliferation financing activities. It may result in various national and international sanctions, leading to irreversible reputational damage and loss of customer trust and revenue.
So, it becomes essential for you to identify and prevent the proliferation financing risks. This is possible with timely and accurate PF risk assessment and by developing an integrated risk management framework, combining anti-money laundering, combating terrorism financing, and countering proliferation financing. The PF risk assessment at the entity level is popularly known as Proliferation Financing Institutional Risk Assessment, Proliferation Financing Business Risk Assessment, or Proliferation Financing Enterprise-Wide Risk Assessment.

EOCN’s guidance on proliferation financing institutional risk assessment

EOCN released a guidance note on PF risk assessment for Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs). The guidelines discuss various risk categories and factors associated with proliferation financing, the methodology the regulated entities must consider in assessing the overall PF risk the business is exposed to, the customer-specific PF risk, and the risk mitigation measures to be implemented as part of CPF.
The guidelines also elaborate on the various questions that can be included in the Know Your Customer (KYC) and Customer Risk Assessment process to assess the PF risk posed by each customer or transaction.
The guidelines also discuss some of the best practices the regulated entities must implement to identify and counter the proliferation financing risk.

Proliferation financing Institutional Risk Assessment

While evaluating the risks of ML and TF, entities must also assess the PF risks. During this procedure, you must handle the following steps:

Assess inherent risks

You must analyze the inherent proliferation financing risk your business is exposed to considering the following risk factors:
  • Customer and the nature of business activities the customer is associated with
  • Geography
  • Products, services, and transactions
  • Delivery channels
  • Cyber risks to software and systems
The assessed inherent PF risk can be classified as low, medium, or high, considering the PF vulnerabilities, the risk appetite of the business, etc.

Check the adequacy and effectiveness of controls

The next step is checking the adequacy and effectiveness of control measures. These measures aim to manage and mitigate the inherent risks identified in Step 1.
A control measure is adequate only if it is accurate in risk detection and prevention. The control effectiveness must be determined considering the quality of the control design and the operation efficacy of the controls. The outcome of the control effectiveness can be determined only based on the degree and extent of how well the controls can manage the impact of the risk on the business.
Based on the analysis of the adequacy or deficiencies in the design and operation of the controls, the control measures can be classified as effective, partially effective, or ineffective.
You must conduct frequent reviews of control measures to test effectiveness and sufficiency. If found otherwise, you must take corrective actions.

Identify residual risks

Residual risk = inherent risk (less) controls’ effectiveness
It means whatever risk remains from the inherent risk after considering control measures is the residual risk.

Ongoing risk assessment

When new, emerging risks arise, a risk assessment must be conducted. Based on these new risk scenarios, your control measures must change. Thus, you must frequently review and update PF risk assessment for the business and particular customer.

Proliferation financing (PF) risk mitigating measures

The business must apply adequate PF risk mitigation measures based on the assessed risk and adopt a risk-based approach.
The measures you apply to combat ML and TF risks may also help you fight the PF risks. But pay attention to the PF risk factors while applying these measures to avoid missing the PF-specific threats to your business. These risk-mitigating measures include:

KYC and CDD during client onboarding

During this process, you will identify customers and verify their identities. You learn about the customers’:
  • Backgrounds
  • Sources of wealth/funds
  • The purpose of the relationship
  • Their ultimate beneficial owners (in the case of a legal entity)
  • Connection with sanctions or the presence of any adverse media
  • Association with Politically Exposed Person (PEP)
  • Primary market and customer base
  • Engagement in dual-use goods or other controlled goods and, if so, license to trade in such goods
Further, you must include detailed questions in the KYC and customer risk assessment questionnaire to uncover the PF risk the customer may pose. Such questions may relate to the following:
  • geographies the customer is associated with,
  • the jurisdictions proposed to be involved in the transactions,
  • the consistency between the proposed transaction and the customer’s social and economic profile,
  • ease and cooperation in identifying the UBOs,
  • ease in identifying the customer’s source of funds and wealth,
  • delivery channels used – mode of interacting with and onboarding the customer,
  • customer’s business segment, whether associated with a high-risk industry,
  • nature of the products or services requested by the customer,
  • customer’s legal structure – is it overly complex,
  • reasonableness of the transaction value,
  • frequency of the transactions executed by the customer, etc.
As applied to the customer, the KYC and customer due diligence measures must also be adopted for the beneficial owners, senior management, power of attorney, and authorized signatories of the customer.
Understanding the customer’s association with dual-use goods or controlled items, either as direct trading or involvement in the shipment or transshipment of goods, is essential to assessing the PF risk.
The customer details must be periodically reviewed to ensure their validity, relevance, and accuracy and to identify any change in the customer profile that may impact the customer’s PF risk assessment.

Customer screening against sanctions and adverse media

As one of the CPF measures, you must screen your customers against a comprehensive and accurate database pertaining to sanctions, watchlists, and adverse media. You must screen the customer and connected persons, including the ultimate beneficial owners, directors, attorney holders, and authorized signatories.
Screen them against various lists to find matches with:
  • Adverse media or news
  • Criminal cases
  • PEPs or close relations with PEPs
  • Sanctions or association with sanctioned persons
  • Links with proliferators or proliferation financing activities
The screening results must be considered for determining the customer’s risk profile and the risk mitigation measures required.

Enhanced Due Diligence (EDD)

When the PF risk arising from a business relationship is high, you must apply enhanced due diligence measures. The following is an illustrative list of customer attributes that call for EDD measures:
  • If a customer is a PEP
  • If the customer is residing in or has business operations in a high-risk jurisdiction
  • If the customer engages in products or services with higher risks of PF
  • If the customer has a highly complex and opaque ownership structure
  • If the customer is associated with a high-risk business sector
  • If the customer uses international corporate vehicles for asset structuring and investment needs
Considering the above and other factors, if the customer is assessed as posing an increased risk, you must collect more information from independent sources for customer identification and identity verification purposes. For such high-risk corporate customers, you may reduce the beneficial ownership threshold from 25% to 10% to apply checks on more individuals associated with the customer.
You must conduct more frequent and more rigorous monitoring of transactions and business relationships. Check their financial data, litigation history, and criminal records to build their risk profile. Whether you start, continue, or exit the business relationship with them, you must get approval from the senior management.

Ongoing monitoring – Business Relationship and Transaction

You must continuously monitor the customer profile and transactions to check the consistency between the customer’s risk profile and the transactions executed by the customer. The frequency of reviewing and updating the KYC and CDD details highly depends on the existing risk profile of the customer. If a customer’s risk profile changes, necessary measures must be immediately applied to manage the changed level of risks, e.g., if the risk changes from low to high, EDD measures must be applied. You must note and report anything found suspicious in a transaction or customer.

Suspicious Activity Reporting

Stay alert to unusual behaviour while onboarding the customer, managing the transaction, and performing ongoing monitoring. If you detect any suspicion indicating the involvement of proliferation financing or customer’s association with PF, conduct further investigation, and if required, submit a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) via the goAML portal.

Employee screening and training

Besides screening your customers, conduct employee screening before hiring them. Check for their competence, integrity, and ethical behaviour. Assess their background to find any linkages with proliferation financing activities.
Everyone in the entity must align with the goals to fight against ML, TF, and PF. So, they must undergo relevant training to detect and deter the exploitation of the business for proliferation financing activities. All employees, including senior management, must participate in PF-specific training. Customer-facing employees or those whose job duties expose them to PF risks must undergo specialized training. Employees who perform transaction monitoring, CDD, KYC, EDD, risk assessments, and screening must get focused training to identify the PF risks while performing their duties.

Overall CPF framework

All these measures help you identify, assess, and combat PF risks. For effective implementation of the counter-proliferation financing framework, adopt the following best practices:
  • Including the proliferation financing risk factors while conducting an overall Enterprise-Wide Risk Assessment.
  • Including and integrating CPF in the business’s overall governance framework.
  • Information manuals on proliferation financing risks must be developed and communicated across the organization, covering the policies, procedures, and controls to identify and effectively mitigate PF risk.
  • CPF policies must provide guidance on dealing with dual-use goods and detecting and reporting PF-related suspicious activity.
  • Adequate screening systems that enable timely detection of customers associated with dual-use goods and sanctioned lists must be implemented.
  • A proper process and system must be deployed to apply asset-freezing measures when any designated entity or person is identified. It should also support prompt termination or suspension of business relationships and timely reporting to the EOCN.
  • The effectiveness and adequacy of the CPF measures must be periodically tested and enhanced.
  • Before launching new products or services, the entity must assess the PF vulnerabilities.
  • Process and system must be implemented for mandatory senior management approval before onboarding a customer posing PF risk.

Niyeahma’s role in proliferation financing institutional risk assessment

Since you have understood the necessity of assessing and combating the proliferation financing risk, why not give it the importance it deserves? You must be proactive enough to include them in your overall AML/CFT framework. If you need any support, Niyeahma is at your service.
We are a leading provider of AML, CFT, and CPF compliance services in the UAE. We help our clients fight well against financial crimes, including money laundering, terrorism financing, and proliferation financing. Besides AML compliance services, our consultants and expert professionals help you:
  • Understand the importance of CPF in the context of financial crimes
  • Detect and assess the emerging risks of PF
  • Identify the appropriate measures against PF
  • Implement these CPF measures and controls to mitigate or prevent PF risks

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)


A Guide to Avoiding Common Mistakes in AML Compliance for VASPs


With the rise of instances of money laundering in the virtual assets ecosystem, the UAE government introduced anti-money laundering regulations to supervise and safeguard this sector. Virtual asset service providers (VASPs) operating in the UAE must know these rules. You must create a customised AML framework aligning with these rules and regulations, in sync with the nature and size of the virtual asset activities. While implementing them, be careful of the common mistakes to avoid in AML compliance for VASPs for effective results.
This blog explores these common AML compliance challenges that a VASP must avoid. By avoiding them, you are adopting an effective methodology for achieving your AML compliance obligations and protecting virtual assets from ML/FT vulnerabilities. Before covering the mistakes, we’ll understand why the money laundering threats affect VASPs’ businesses.

Why is the threat of money laundering looming over VASP businesses?

What is the primary factor influencing money laundering activities? Disguised or concealed identities. By hiding their identities, money launderers bring illicit money into the legal financial system and layer it with other transactions.
This is especially easy in the case of cryptocurrencies and virtual assets, for the following reasons:
  • The virtual asset transactions are decentralised
  • These transactions allow anonymity or pseudo-anonymity
  • High-value and high-frequency transactions are common
  • Easy and quick transfer of virtual assets from one person to another across boundaries
  • Regulatory frameworks for VASPs and virtual assets are still evolving
All these reasons increase their vulnerability to money laundering threats. So, virtual asset service providers must stay alert to the standard red flags and ML/FT typologies. These indicators must warn you of suspicious activity, which you can investigate further and prevent financial crime. You can find these red flags in our blog: Unusual Transaction Trends for VASPs.
These red-flag indicators help you spot a suspicious customer or transaction. After spotting, you can avoid or stop them. Besides this, you must follow the AML regulations as applicable to the VASPs (such as the Compliance and Risk Management Rulebook issued by VARA or the rulebooks issued by the ADGM’s FSRA or DIFC’s DFSA, along with Federal AML regulations). Per these regulations, you can achieve AML compliance by applying the following AML measures:
  • Creating AML framework, including policies, procedures, and controls
  • Applying appropriate customer due diligence measures, including KYC, screening and risk profiling
  • Applying adequate KYT (Know Your Transaction) measures
  • Training your employees on AML and CFT
  • Complying with FATF travel rule requirements
  • Maintaining adequate records and information
  • Monitoring customers and transactions
  • Reporting your suspicious activities to the FIU

Mistakes to avoid in AML compliance for VASPs

VASPs invest in these measures and implement them in their operations. But during their planning or execution, you might face challenges. The following are the common mistakes to avoid in AML compliance for VASPs:

Inability to manage changes per AML regulatory updates

The world of virtual assets is a new and emerging business territory. People are still understanding its uses and benefits. Meanwhile, money launderers have already started using it for their illicit activities. They are leveraging the characteristics of virtual assets to launder dirty money. That is why the rules for VASPs are still evolving in the UAE to manage criminals’ new and sophisticated money laundering methods.
With such an evolutionary nature, you must keep track of regulatory changes. As and when laws change, you need to adjust your AML policies to them. If you miss these changes, your compliance will be incomplete or inaccurate, leading to penalties.
So, one key AML compliance challenge for a VASP to avoid is operating in an uncertain regulatory market. This leads to inconsistent AML practices. To cover this challenge, monitor the AML updates. As and when new rules are introduced, understand them and make relevant changes in your AML strategies. Thus, you can bring consistent and AML-compliant business practices to your virtual asset activities.

Difficulty in keeping pace with the technological innovations and developments

One common mistake to avoid in AML compliance by VASPs is not upgrading their technologies related to the compliance function.
Blockchain, cryptocurrency, and virtual asset worlds witness new technologies daily. Such technological innovations are a big challenge for VASPs.
You must up your game in the technological development space to bridge the gaps between the tools deployed by the criminals and the technologies you use for combating these crimes. Keep your systems updated and in alignment with the market requirements and the newer money laundering trends and patterns. Upgrade your system’s security and work on data protection. Investing in cybersecurity measures can reduce your vulnerability to security breaches and help mitigate ML/FT exposure.

Failure to assess risks to your business

As a virtual asset service provider, you must know the potential risks to your business. Not knowing them is one of the severe mistakes in AML compliance. You must act immediately to identify and understand the risks and plan AML control measures accordingly.
You must conduct an enterprise-wide risk assessment (EWRA) to identify the potential exposure to all aspects of your business. The risks can be from any or all of the following:
  • Customers and other parties involved
  • Products and services
  • Geographies of your business or where your customers are from
  • Delivery or distribution channels
  • Nature, size and complexity of the transactions
  • Technologies deployed
These factors might expose you to money laundering or terrorism financing risks. So, identify them and analyse their possible impact and level. You must be able to build your own business’s risk profile. Comparing the risk profile with your risk appetite shows the gap you want to fill with your AML efforts.
Remember to repeat this exercise regularly to stay on top of your business’s potential risks. You must update the risk assessment when business conditions and elements change.

The absence of a well-defined, customised AML framework

One of the critical aspects of AML compliance is the documented comprehensive AML framework. Without an AML framework, you do not have the policies, strategies, procedures, and controls. You must have a well-defined AML framework tailored to your business and the outcome of the ML/FT business risk assessment. These help you follow the AML compliance requirements and safeguard your virtual asset activities.
After the risk assessment, you need an AML compliance program to mitigate or manage these risks. It must have the following:
  • Relevant AML policies per your AML goals
  • Procedures for due diligence before customer onboarding and during business relationship
  • Checklist of red flags and process to spot them
  • Record-keeping and reporting systems for AML
  • Internal controls to combat these risks
  • Norms to comply with KYT and travel rule requirements
  • Procedures for ensuring effective implementation of the targeted financial sanctions
You must communicate these to all your departments and employees, and get approval from the senior management. You must also update the framework with regulatory amendments and revisions in business risks.

No focus on the customer due diligence

Customer due diligence is a critical part of any AML compliance program. Its correct and on-time performance is a vital AML compliance challenge for VASPs. However, this process is crucial for identifying suspicious customers and managing vulnerabilities.
Your CDD process must include:
  • Knowing your customer: You must collect the identity details of your customer, along with evidence. For legal entities, collect information on beneficial ownership, nature of business, etc.
  • Knowing your transaction: You must know the originator and beneficiary of a virtual asset transaction. Collect details on wallet addresses, transaction hashes, device identifiers, and other points that help you know it better.
  • Customer screening: The pseudo-anonymity of a virtual asset transaction makes it riskier. So, you need to be extra careful with whom you are dealing. You must match your customers against lists of sanctions, PEPs, terrorists, and adverse media. If matched, make informed decisions to ensure compliance with laws and management-approved risk appetite.
  • Customer risk profiling and enhanced due diligence for high-risk customers: The above three assessments help determine whether a customer or a transaction is high, medium, or low risk. Once you know the high-risk customers, you must apply enhanced due diligence for extra care. Seek information on the source and destination of funds, check their legitimacy, and double-check beneficial owners. Do not form a business relationship or conduct the transaction if it is doubtful.
Thus, all these steps of customer due diligence ensure you are in a better AML compliance position. You know your customers and their risk profiles so that you can decide accordingly. Such risk assessment allows you to take a risk-based approach to AML compliance.

No plan in place to Know Your Counterparty VASP

A virtual asset service provider sells, holds, exchanges, converts, safe-keeps, or transfers virtual assets on behalf of other legal or natural persons. So, in such virtual assets activities, more than one VASP is involved, and thus, such counterparty VASP may also pose a certain degree of risk, influencing the transaction. So, knowing your counterparty VASP is crucial for any virtual asset service provider.
Failing to do this is a crucial mistake to avoid in AML compliance for VASPs. So, you must make it a practice to check and know your VASP before engaging in a transaction. You can check the importance of this requirement on our blog: FATF Travel Rule and Know Your Corresponding VASPs.
Like customer profiling, check your counterparty VASP’s beneficial ownership. Make it a practice to check their compliance with the AML regulations. All these details will give you a better view of how legitimate or illegitimate their business is and what sort of risk it can bring to the virtual asset transaction.

Lack of AML training for employees

You must be aware of the applicable AML regulatory landscape. Besides, everyone in your team handling customers, transactions, or any other AML compliance procedure must learn about the process, including the senior management. All this knowledge enables the adequate performance of your business responsibilities while considering the AML measures and compliance obligations.
So, you must design a comprehensive AML training program for your employees. Include theoretical and practical training to facilitate a better understanding of procedures. Provide practical examples of cases with relevant live training on CDD, transaction monitoring, and sanction screening. It makes the conceptual clarity better and more accurate.
If not internally, you can hire an external AML consultant for imparting training. Partner with someone with expertise and experience in training different industries. Missing such training is a big mistake to avoid in AML compliance for VASPs.

Inability to find the right balance between user privacy and AML compliance requirements

The design and delivery of virtual assets are such that you can ensure anonymity. However, AML compliance requires you to gather all details on your customers. So, a proper balance between the two is essential. This is a big AML compliance challenge that VASPs must avoid.
Virtual asset transactions sometimes enable the concealment of true identities. Some cryptocurrencies, like privacy coins, enhance anonymity and privacy.
This is in contrast to the AML requirements that VASPs must adhere to. You must get the customers’ identity and other details to fulfil the needs of KYC and CDD under AML. So, you need to find a balance between this anonymity and AML requirements.

Insufficient and incomplete records and reports

Another mistake to avoid in AML compliance for VASPs is insufficient recording and reporting. If you don’t keep records, it would be treated as non-compliance with record-keeping requirements, and also, you won’t have evidence to prove your regulatory compliance. Also, you’ll be unable to submit reports to authorities without such records. So, pay close attention to maintaining records and submitting reports to authorities.
Maintain records of KYC, CDD, customer screening, EDD, KYT, transactions executed, etc. Also, create and save records of transaction monitoring and suspicious transactions identified. These records must be up-to-date, comprehensive, and accurate. Authorities might ask for them during audits and investigations.
Another need is to create comprehensive reports of your AML measures and submit them to the necessary authorities. One mandatory provision is submitting a report on suspicious transactions and activities. Forgetting to do so leads to non-compliance and penalties. So, comply with the reporting and recording requirements of AML compliance in UAE.
You must be aware of and avoid these common mistakes in AML compliance for VASPs. By avoiding them, you make your AML compliance practices effective.

Niyeahma – your partner for professional AML consulting services

Niyeahma is one of the leading providers of AML consulting services to the VASPs operating in the UAE. We help clients face AML compliance requirements with complete preparations. You can find help with:
  • Conducting the ML/FT enterprise-wide risk assessment
  • Creating and implementing AML policies and procedures
  • Training your employees
  • Monitoring transactions
  • Managing your KYC and CDD compliance
For any help in AML compliance, you’ll have the support of Niyeahma.
So, get on a call with our team and discuss your requirements.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.
